How to secure a WordPress website with SSL and redirect from HTTP to HTTPS

Learn how to redirect your WordPress website from HTTP to HTTPS

Do your customers trust your business? If they didn’t, they probably wouldn’t be doing business with you in the first place, right? The same holds true for your website. Can your customers and website visitors trust in a safe and secure environment when they are visiting your website? What can you do to secure your website with encryption?

As the online representation of your business, your website needs to establish that same level of trust with customers, prospects, and other visitors if it’s going to fulfill your business goals. If you want to foster that trust in your online audience, the first place to start is by creating a safe online environment for them – which means moving your website to HTTPS is highly recommended, especially in the long run.

In 2014, Google announced on its official blog that security and encryption are a top priority. This basically means that Google wants to enforce strong HTTPS encryption by default for all websites. In return, websites with SSL certificates installed may benefit from higher rankings in the search engine. The importance of HTTPS as a ranking signal may increase even more in the future, once SSL encryption has become standard for all websites.

The importance of HTTPS (SSL)

SSL (Secure Sockets Layer) is a security technology for establishing an encrypted link between a web server and a browser. This ensures that data passed between the web server and browsers remains private and intact. SSL is already used by millions of websites around the globe and is the industry standard for protecting online transactions. To encrypt a website and establish a secure SSL connection, it is necessary to install an SSL certificate on the web server. The SSL certificate is linked to your domain, and the internet browser will display that the site is secure.

Take a moment to look at the address bar at the top of your browser window. You’ll notice that the domain URL for this website is preceded by https://. This stands for Hypertext Transfer Protocol Secure, which is an encrypted method of connecting visitors to a website. Using Transport Layer Security (TLS), HTTPS websites are inherently more secure than HTTP as they encrypt the connection between a client (computer) and a server (website).

While your site’s visitors may not be aware of the difference between HTTP and HTTPS, many of them are cognizant of the green padlock in the address bar, which indicates a secure connection. According to GlobalSign, roughly 29% of visitors want to see that green padlock in the address bar and 35% want to see the name of your company there too. Not having the green padlock may negatively affect your business because customers may not trust your site. What’s more, from October 2017 non-HTTPS sites will be labeled as “Not Secure” in Google’s Chrome browser.

Benefits of moving your website to HTTPS (SSL)

You may already have noticed that more and more major global websites are using SSL encryption (HTTPS) to secure their connections. SSL has already been standard for online banking transactions for years, and also websites like Google, Facebook, LinkedIn, Twitter and many more are using SSL certificates to establish encrypted and secure online connections. If you’re grappling with the idea of moving your website to HTTPS, consider the following:

  • HTTPS ensures a safer shopping and browsing experience for your site’s visitors — especially if you run an e-commerce website (though HTTPS really should be a consideration for all sites).
  • HTTPS can also provide you with a more secure login connection to your own website.
  • Google gives a boost in search rankings to websites that use HTTPS, which is good for SEO.
  • HTTPS helps build trust by providing that green “secure connection” indicator in the address bar.
  • HTTPS encryption requires a minimal investment of money and time to get you up and running.

Secure your website with SSL and redirect old URLs to HTTPS

With the mentioned benefits of an encrypted website in mind, you probably want to get started, right? Want to see how easy it is to take your website from HTTP to HTTPS? People sometimes run into issues where some resources like stylesheets, JavaScript files or plugins are not working correctly anymore after moving their WordPress site to HTTPS.

To avoid these issues, it’s important to ensure that all resources and elements on your WordPress site are loading via HTTPS. Luckily there are helpful tools and plugins that can do the work for you to ensure SSL encryption on your WordPress site. Check out the steps below for more information on how to move your website correctly to HTTPS:

  1. Get an SSL certificate
  2. Redirect to HTTPS with .htaccess
  3. Clean up insecure content
  4. Update tools and links that point to your site

Fortunately, Google and many other sites have also published detailed best practices to make TLS adoption easier, and to avoid common mistakes. Here are already some basic tips to get started with SSL:

  • Decide the kind of SSL certificate you need: single, multi-domain, or wildcard certificate.
  • Use 2048-bit key certificates.
  • Use relative URLs for resources that reside on the same secure domain.
  • Otherwise, use protocol-relative URLs for all other domains.
  • Check out Google’s “Site moves with URL changes” article for more guidelines.
  • Don’t block your HTTPS site from crawling using robots.txt.
  • Allow indexing by search engines where possible. Avoid the noindex robots meta tag.

Step 1: Get an SSL certificate

In order to establish an HTTPS connection for your website, you need an SSL certificate. Why? Because the certificate is what validates your secure connection and will keep visitors’ (as well as your own) logins, financial information, and other personal data safe. It’s also what adds that highly trusted green padlock (and possibly your company name) to the address bar of your website. There are three different types of SSL certificates to consider:

  1. Domain Validation certificates are the most basic form of validation. They cover a single domain and don’t require any paperwork. They’re also the cheapest of the three.
  2. Organization Validation certificates offer more security than basic domain validation. With these certificates, you’ll get the green padlock in the address bar.
  3. Extended Validation certificates offer the highest level of security and take longer to process. With these certificates, you’ll get the green padlock as well as your authenticated business name in the address bar.

Once you’ve determined which type of SSL certificate you need, you can check with Let’s Encrypt to see if they offer the certificate you need (all of which are free on their site). There also are other companies which offer SSL certificates, for example GeoTrust, GlobalSign or Symantec. As an alternative you can check with your hosting provider or CDN to see what sort of SSL certificates you can purchase from them (which may be easier for beginners).

Step 2: Redirect with .htaccess

While you can make updates to your site’s address at the host and WordPress level, it’s best to manage the redirect right within your .htaccess file. Go to your WordPress website’s root folder, and then add the following code to your .htaccess file (back up your old .htaccess file first!):

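# Enable mod_rewrite and send every plain-HTTP request to the same URL over HTTPS
RewriteEngine On
# %{HTTPS} is "on" or "off" in lowercase, and the pattern match is case-sensitive
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]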

The above code will ensure that a 301 (permanent) redirect from HTTP to HTTPS is forced — which will be especially important for SEO purposes to redirect your backlinks. Where exactly you add the redirect depends on the structure of your .htaccess: it has to come before any rule that would otherwise handle the request first, such as the WordPress block. If you want to redirect a WordPress website from HTTP to HTTPS, the end result could look like this:

# HTTPS Rewrite
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Remove www from URL
# (placed before the WordPress block: that block's last rule hands every
# permalink request to index.php, so a redirect placed after it is never
# reached for those URLs)
RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
RewriteRule ^(.*)$ https://%1/$1 [R=301,L]

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

The example also shows how you can get rid of the www at the beginning of your URL by redirecting to the non-www version. If not already taken care of, then this is something you might want to consider as well in order to prevent issues with duplicate content on your website, which would be bad for SEO and may hurt your rankings in search engines like Google, Bing or Yahoo.

Step 3: Clean up insecure content

After redirecting your website to HTTPS, all elements on your website need to be secure. In the case that relative URLs have not been used throughout your website – this includes images, JavaScript files, scripts, and more – you’ll need to go through and remove the hard-coded URLs so your website doesn’t throw “mixed content” warnings.

Basically, if you’ve moved your website to HTTPS, but any of the content / files / links within it still reside on HTTP, the security of the website will be compromised and visitors to the website will be notified (which is not good). The SSL Insecure Content Fixer plugin can help with this issue. The Velvet Blues Update URLs plugin also helps with fixing embedded links.
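
To see which hard-coded URLs are responsible before reaching for a plugin, the following Python script scans a page's HTML for subresources that would still load over plain HTTP. It is an added example, not part of the original article or of either plugin; the names `FETCH_ATTRS`, `MixedContentFinder` and `find_mixed_content` and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make the browser fetch a subresource. Browsers block
# "active" mixed content (scripts, stylesheets, frames), which is why styles and
# scripts stop working; "passive" content (images, media) causes the warning.
FETCH_ATTRS = {
    ("script", "src"): "active", ("link", "href"): "active",
    ("iframe", "src"): "active", ("img", "src"): "passive",
    ("audio", "src"): "passive", ("video", "src"): "passive",
    ("source", "src"): "passive",
}

class MixedContentFinder(HTMLParser):
    """Collect subresources an HTTPS page would still request over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are fetched and applied; rel="canonical" is metadata.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for (t, attr), kind in FETCH_ATTRS.items():
            url = (attrs.get(attr) or "").strip()
            # Relative and protocol-relative URLs have no scheme and inherit HTTPS.
            if t == tag and urlsplit(url).scheme == "http":
                self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from a real site).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://example.com/about">
<script src="//cdn.example.net/lib.js"></script>
<script src="http://example.com/wp-includes/js/jquery.js"></script>
</head><body><img src="/wp-content/uploads/logo.png">
<img src="HTTP://example.com/wp-content/uploads/photo.jpg">
<a href="http://example.com/contact">Contact</a></body></html>"""

for line, tag, kind, url in find_mixed_content(SAMPLE):
    print(f"line {line}: <{tag}> {kind} mixed content -> {url}")
```

Ordinary `<a href>` links are not reported: they are navigations rather than subresources, and the .htaccess redirect from Step 2 handles them.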

Step 4: Update tools and links that point to your site

Once your WordPress website has been set up with HTTPS, everyone will be redirected to the correct, secure version of it even if they type in the old URL. That being said, it’s still recommended to update your URL on any third-party sites or tools for better SEO and the sake of keeping everything consistent. Here are some of the places where you’ll want to update the old links that are pointing to your HTTP site:

  • Google Analytics & Google Webmaster Tools (Search Console)
  • Sitemaps to reflect the new URLs
  • Social media profiles like Facebook, Twitter, Google+, Pinterest and others
  • Website content that contains external links to your site
  • Any third-party tool that integrates with your site (like a CRM or email platform)

Wrapping up: Moving from HTTP to HTTPS

In terms of developing trust with your audience, a migration from HTTP to HTTPS might be one of the easiest (and most affordable) ways to accomplish this. The benefits to your business (increased security in accessing the site, improved SEO, and more) cannot be ignored either. So if you’re ready to make the switch, get your SSL certificate and start making this much-needed redirect! If you want to provide any feedback or have questions about moving your site to HTTPS, please let us know in the comments below.

About Brenda
Brenda is a writer at Array Internet from Southern California. She specializes in WordPress, technology, and business. When not writing all the things, she's spending time with her family.

4 Comments

  1. Very nice and thorough article! I also want to add that there is a browser extension for Firefox, Chrome, and Opera which encrypts the communication between websites and the browser. I highly recommend that everyone installs this browser extension, the name is: HTTPS Everywhere.

  2. Hi, thanks for this helpful guide. I’ve read on some SEO blogs that people have lost rankings and traffic from search engines after switching to HTTPS. Is this true and if yes, how can I avoid this?

    • Hi Peter, when you switch your site from HTTP to HTTPS, your website basically will have a new URL without backlinks or credibility. That’s one of the reasons why it’s highly important that you 301 redirect the old URLs correctly to the new URLs so that the linkjuice and pagerank won’t get lost.

      However, it’s indeed not unlikely that you’ll see some volatility in rankings after you’ve moved your site to HTTPS and redirect the old URLs. But after some time things should be back to normal and there shouldn’t be negative impacts, you may even rank better. Google usually just needs some time to process this.

  3. Hi, I’ve tried this but I’m having some problems. I need to redirect in a certain order:

    1. http://example.com => https://example.com
    2. https://example.com => https://www.example.com
    

    And I need to remove / at the end. With curl -i I now see on request that it’s not redirected to www and have / at the end. Here is my .htaccess with the redirects. What’s wrong?

    # HTTPS Rewrite
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    
    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress
    
    RewriteCond %{HTTP_HOST} ^mydomain.com [NC]
    RewriteRule ^(.*)$ https://www.mydomain.com/$1 [L,R=301]
    
